LinuxQuestions.org

Linux - Security: Firewall choice quiz (https://www.linuxquestions.org/questions/linux-security-4/firewall-choice-quiz-762649/)

xxon 10-17-2009 04:48 PM

Firewall choice quiz
 
This will get a lot of different responses... I have a question to pose and I want responses that have meat to back it up... The best Linux distro to base a first line of defense against the wild and woolly?

Here goes:

I want to build a secure system, a firewall in itself, netfilter, it will be an exposed system. Linux is of course my OS of choice, but which distro is the most inherently secure overall? I am currently leaning toward CentOS because of its functionality and stability, then hardening it to do the job. Throw some opinions at me... The current CentOS kernel is 2.6.18. Best is 2.6.31 vanilla stuff as of this writing. Not bad I guess... IPtables is 1.4.5 which I downloaded and compiled on my test system.

If you were building a first line of defense what would you do?

Thanks all for your advice.

->xxon

Lordandmaker 10-17-2009 05:02 PM

If it's just a firewall, I'd go with one of the firewall-leaning distros.

The problem with this question is that it's mostly irrelevant which is most secure by default, since you're not going to run a default system. And once you've configured the system, it's mostly irrelevant which one you started with.

The best one is the one you can most easily and most reliably secure.

</cop out>

xxon 10-17-2009 05:10 PM

Agreed. My goal is to create a secure system that can withstand attack (constant) from the wild. It has to be secure and at least promise prevention (lost cause). So, overall, is there a version of Linux with that built in? Open ports are always a hazard but necessary.

slimm609 10-17-2009 10:01 PM

I would stay away from CentOS. They have been slipping on their security patches: 1 1/2 months after the Red Hat release for some recent patches. Long story why.

If you want a firewall-based distro there are many options: IPCop, Smoothwall, ClarkConnect, engrade, etc.

Here is a list of a majority of them:

http://en.wikipedia.org/wiki/List_of..._distributions

Jim Bengtson 10-17-2009 10:24 PM

I haven't tried it yet, but I came across this while doing a search for security-focused versions of Linux:

"Owl", -- a security-enhanced server platform.
http://www.openwall.com/Owl/CONCEPTS.shtml

"Owl" (or "Openwall GNU/*/Linux"; please, note that only the "O" is capitalized in either case) is a security-enhanced operating system with Linux and GNU software as its core, compatible with other major distributions of GNU/*/Linux. It is intended as a server platform. And, of course, it's free.

Owl combines several approaches to reduce the number and/or impact of flaws in its software components and impact of flaws in third-party software that one might install on the system.

The primary approach used is proactive source code review for several classes of software vulnerabilities. However, because of the large amount of code, there's a certain level of "importance" for a software component or a part thereof to be audited. Currently, only pieces of code which are typically run with privileges greater than those of a regular user and/or typically process data obtained over a network are audited before the corresponding software component is included. This covers relevant code paths in many of the system libraries, all SUID/ SGID programs, all daemons and network services. Other software may be audited when it is already a part of Owl. Potential problems found during the audit are fixed or, in some pathological cases, may prevent the software component from being included. In general, code quality and privilege management are always considered when there's a choice between implementations of a feature. As the project evolves, many of the software components will be replaced with ones of our own.

When packaged for Owl, the software components are configured or, when necessary, modified in order to provide safe defaults, apply the least privilege principle, and introduce privilege separation. The use of safe defaults, where optional and potentially dangerous features need to be turned on explicitly, lets us audit the pieces of code used in the default configuration in a more thorough way. Extra systems administration facilities ("owl-control") are provided for managing system features such as the optional SUID/SGID binaries independently from installing the corresponding packages. Every Owl package will have its audit status documented to allow for risk assessment.
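The Owl description above treats the set of SUID/SGID binaries as something to be managed and documented rather than left to whatever the packages install. On any distro, the equivalent check is to inventory the privileged files on disk and compare them with an allowlist you have reviewed. The script below is an added example, not Owl code and not owl-control: it assumes a POSIX shell with find, sort and comm, and it builds a constructed directory tree plus a hypothetical allowlist file so it runs without touching the real system.

```shell
#!/bin/sh
# Added example (not from Owl or owl-control): inventory setuid/setgid files
# under a root directory and report any that are not on a reviewed allowlist.
# Assumes POSIX find/sort/comm/mktemp; paths are relative to the root.
export LC_ALL=C   # one collation for sort and comm

# Print every regular file under $1 that carries the setuid or setgid bit,
# as a sorted list of paths relative to $1.
suid_inventory() {
    root=$1
    ( cd "$root" && find . -type f \( -perm -4000 -o -perm -2000 \) -print | sort )
}

# Compare the live inventory under $1 with the allowlist file $2 (one relative
# path per line).  "+" marks a privileged file that is not allowlisted (the
# risky direction); "-" marks an allowlisted entry that is no longer privileged
# (a stale allowlist).  Exit status is non-zero when any "+" entry exists.
suid_audit() {
    root=$1
    allow=$2
    live=$(mktemp)
    want=$(mktemp)
    suid_inventory "$root" > "$live"
    sort -u "$allow" > "$want"
    comm -13 "$want" "$live" | sed 's/^/+ /'
    comm -23 "$want" "$live" | sed 's/^/- /'
    unexpected=$(comm -13 "$want" "$live" | wc -l | tr -d ' ')
    rm -f "$live" "$want"
    [ "$unexpected" -eq 0 ]
}

# Constructed demo tree (hypothetical, not a real system): two expected
# privileged binaries, one unprivileged binary, and one unexpected setuid file.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/usr/bin" "$demo_root/tmp"
: > "$demo_root/usr/bin/passwd"; chmod 4755 "$demo_root/usr/bin/passwd"
: > "$demo_root/usr/bin/wall";   chmod 2755 "$demo_root/usr/bin/wall"
: > "$demo_root/usr/bin/ls";     chmod 755  "$demo_root/usr/bin/ls"
: > "$demo_root/tmp/.x";         chmod 4755 "$demo_root/tmp/.x"

# Hypothetical allowlist: includes chsh, which is not present in the demo tree.
allow=$(mktemp)
printf './usr/bin/passwd\n./usr/bin/wall\n./usr/bin/chsh\n' > "$allow"

suid_audit "$demo_root" "$allow" || echo "unexpected privileged files found"
```

Run the audit from a package-manager hook or a nightly job and treat any "+" line as an incident to explain, since a setuid file outside the allowlist is exactly the kind of surprise that salasi warns about later in the thread. On a real host, pass `/` as the root and keep the allowlist under version control so that changes to it are reviewed like code.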

salasi 10-18-2009 02:45 PM

Quote:

Originally Posted by Lordandmaker (Post 3723139)
The problem with this question is that it's mostly irrelevant which is most secure by default, since you're not going to run a default system. And once you've configured the system, it's mostly irrelevant which one you started with.

The best one is the one you can most easily and most reliably secure.

The one thing that I'd add to that (make that two things, although one isn't really new)
  • you don't want any surprises...if you know one distro intimately, it's probably easier to work with that...so a distro which surprises you by running things just because you've installed them, when you hadn't expected that, would be bad news
  • patches...you need prompt security patches...I haven't checked that on the specialist firewall distros, but if security was the priority, you'd need to be assured that patches got through the system promptly

Quote:

system that can withstand attack (constant) from the wild
...and this is the point: current flavour of the month seems to be brute force ssh attacks (probably be something else next month), which prompts the question 'Do you have a strategy for this?'. Just assuming that you can plug in a firewall box and have all of the problems go away is perhaps a little simple-minded, so you have to know more and do more than that, if you want to keep your insecurity to a minimum. And keep up to date with what has become the latest threat of the month and have a strategy for that.
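One concrete answer to salasi's "Do you have a strategy for this?" is to make the firewall box read its own sshd log and turn repeated failures into netfilter drop rules. The script below is an added example, not code from any post or project in this thread: it assumes OpenSSH's syslog "Failed password for ... from <ip>" line format, the constructed log lines are embedded (addresses come from the documentation ranges), and the threshold is a hypothetical parameter. It prints an iptables-restore style fragment rather than applying anything, so the output can be reviewed and merged into the real ruleset.

```shell
#!/bin/sh
# Added example (not from this thread or any project): count failed SSH
# password attempts per source address in sshd syslog output and emit
# netfilter drop rules for sources over a threshold.
# Assumes OpenSSH's "Failed password for ... from <ip> port <n> ssh2" lines.

# Constructed sample log (hypothetical host "fw", documentation IP ranges).
SAMPLE_LOG=$(cat <<'EOF'
Oct 17 22:01:03 fw sshd[2031]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Oct 17 22:01:05 fw sshd[2031]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Oct 17 22:01:07 fw sshd[2033]: Failed password for root from 203.0.113.7 port 51240 ssh2
Oct 17 22:01:09 fw sshd[2035]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2
Oct 17 22:01:11 fw sshd[2037]: Failed password for root from 203.0.113.7 port 51250 ssh2
Oct 17 22:02:40 fw sshd[2040]: Failed password for alice from 192.0.2.25 port 40022 ssh2
Oct 17 22:02:48 fw sshd[2040]: Accepted publickey for alice from 192.0.2.25 port 40022 ssh2
Oct 17 22:03:00 fw sshd[2042]: Invalid user test from 198.51.100.9
EOF
)

# Read sshd log lines on stdin; print "<count> <ip>" for every source with at
# least $1 failed password attempts (default 5), highest count first.
failed_ssh_sources() {
    awk -v thr="${1:-5}" '
        /sshd\[[0-9]+\]: Failed password for / {
            # the source address is the token after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i+1)]++; break }
        }
        END { for (ip in count) if (count[ip] >= thr) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Turn "<count> <ip>" lines from stdin into an iptables-restore fragment that
# drops new SSH connections from each source.  Printed, not applied: merge the
# rules ahead of the ACCEPT for port 22 in the live ruleset after review.
block_rules() {
    echo '*filter'
    while read -r count ip; do
        [ -n "$ip" ] || continue
        echo "# $count failed SSH logins from $ip"
        echo "-A INPUT -s $ip/32 -p tcp --dport 22 -j DROP"
    done
    echo 'COMMIT'
}

# Demo: with a threshold of 3 only 203.0.113.7 is listed; alice's single typo
# from 192.0.2.25 is left alone.
printf '%s\n' "$SAMPLE_LOG" | failed_ssh_sources 3 | block_rules
```

Two design points matter more than the script itself. The threshold and the log window decide how many legitimate users you lock out, so count over a bounded window (the last few minutes of the log, or a rotated file) rather than over all history; and a blocklist built this way should expire, otherwise a dynamic address that hosted a scanner last month stays blocked for its next owner. The same approach applies to whatever becomes next month's "flavour of the month": the log pattern changes, the pipeline does not.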

wfh 10-19-2009 10:59 AM

Quote:

Originally Posted by xxon (Post 3723128)
I am currently leaning toward CentOS because of its functionality and stability

If you were building a first line of defense what would you do?

Thanks all for your advice.

->xxon

Consider the possibility that RedHat variants are very well studied by hackers and a number of attack kits exist to exploit its file structure and setup; that would make me think twice about CentOS.

Nobody has approached it from this angle, so let me throw in the possibility of a distro geared for security from the get-go; Untangle Server.

I have heard that the Untangle Server is like an open source equivalent of a SonicWALL appliance minus the crypto enhancement chip. You get a lot of preconfigured functionality that's installable from an ISO.

You can recompile or enhance any functionality, but this was made for use as a first-line-of-defence gateway.

http://www.untangle.com/Downloads/Download-ISO

Jim Bengtson 10-20-2009 09:29 AM

Quote:

I want to build a secure system, a firewall in itself, netfilter, it will be an exposed system.

Have you checked out Vyatta? It's a commercial product, but every six months they release an upgrade, and put the old version into open source. They encourage prospective customers to try out their community version, to see if they like it, and then to buy support to get the most current version.

Vyatta is based on Debian, is well documented, and has an active community involvement. Check it out...
